An XEE attack is a type of an application attack. It's also called a billion laughs attack or an XML bombs attack. The essence of this attack is that an insecurely configured XML parser processes external data. As a result of this attack, you may get denial of service (DoS).
Note. XEE and XXE are different attack types. You can read about an XXE attack here.
XML files may contain the document type definition (DTD). DTD allows us to define and use XML entities. Entities can either refer to some external resource or be fully defined inside the document. In the latter case, they can be represented by a string or other entities, for example.
An XML file with examples of such entities:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;">
]>
<foo>&lol1;</foo>
The file contains the 'lol' and 'lol1' entities. The first entity is defined through a string, and the second one — through other entities. The value of the 'lol1' entity results in the 'lollol' string.
You can increase the nesting and the number of entities. For example, like this:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<foo>&lol2;</foo>
The 'lol2' entity expands as follows:
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollol
So-called XML bombs are created in a similar way, by increasing the number of nested entities. XML bombs are small files that enlarge when entities are expanded. That's where the name of this attack type comes from:
Thus, a hacker can perform a DoS attack with XML bombs if:
Below is an example of code vulnerable to an XEE attack:
static void XEETarget(String pathToXml)
{
XmlReaderSettings settings = new XmlReaderSettings()
{
DtdProcessing = DtdProcessing.Parse,
MaxCharactersFromEntities = 0
};
using (var xml = File.OpenRead(pathToXml))
{
using (var reader = XmlReader.Create(xml, settings))
{
while (reader.Read())
{
if (reader.NodeType == XmlNodeType.Text)
Console.WriteLine(reader.Value);
}
}
}
}
In this code fragment, reader parses an XML file. This parser is vulnerable to XML bombs since it was created with insecure settings:
As a result, the parser may freeze in attempt to parse an XML bomb and start consuming a large amount of memory.
If you want to make a parser resistant to XEE attacks, it is enough to set at least one of the following options for it:
Below is an example of settings in which the DTD processing is allowed, but the maximum size of entities is limited:
XmlReaderSettings settings = new XmlReaderSettings()
{
DtdProcessing = DtdProcessing.Parse,
MaxCharactersFromEntities = 1024
};
If, during the XML file parsing, the size of entities exceeds the set limits, then the XML parser throws an exception of the XmlException type.
Note that the default settings of some XML parsers may vary in different versions of libraries. For example, Microsoft changed the settings of some XML parsers between .NET Framework 4.5.1 and .NET Framework 4.5.2, making them more secure by default.
Look at the example:
static void XEETarget(String pathToXml)
{
using (var xml = File.OpenRead(pathToXml))
{
var settings = new XmlReaderSettings()
{
DtdProcessing = DtdProcessing.Parse
};
using (var reader = XmlReader.Create(xml, settings))
{
while (reader.Read())
{
// Process XML
}
}
}
}
This code fragment is vulnerable to XEE attacks in .NET Framework 4.5.1 and older versions. It does not set limits on entities size — the value of the MaxCharactersFromEntities property is 0. In .NET Framework 4.5.2 and newer versions a limit on entities size is set by default. As a result, this code fragment is resistant to XEE attacks.
0